z

Weaving the three critical attributes –Data Integrity, Data Quality and Data Security

Namrata BelekarSIRO Clinpharm Pvt. Ltd

z

Index

1. Regulatory bodies2. Basics of 3 attributes3. Clinical data- Guidance for industry4. Fraud and Misconduct5. Violations

1. Fraud cases2. FDA Warnings3. HIPAA Violations

6. HIPAA Action plan7. Application level safeguards8. Data level safeguards9. How to detect frauds? Detecting signals10.Key takeways

z

Regulatory bodies

FDA

PMDA

EMA

DCGI

Industry Guidelines

Data Integrity

Data Quality

Regulatory bodies

Data Security

…………

z

Data Integrity

Data integrity refers to the correctness and completeness of data (ALCOA)Data integrity types – Entity integrity and Referential integrity

Data Quality

Data Protection

Firewall

Password protected

Authorizedaccess

Physical cabinet

Enter

Clean

Improve

Monitor

Analyze

Data Security

z

FDA’s Acceptance of Electronic Source Data

• Electronic data must meet the same fundamental elements of data quality and integrity (complete and consistent) expected of paper records.

• Acceptance depends on FDA’s ability to verify it.

Data

IntegrityData

Quality

Verification by FDA

z

So, what if these guidelines are not followed?

o What are Fraud cases? GCP findings by MHRA?o What are FDA warning letters?o What are the HIPAA violations?

z

Case 1

• Promotion of a best-selling antidepressants for unapproved uses

• Fails to report safety data

• Paid $3 billion in fines

Case 2

• 18-year-old subject participated in a gene therapy study

• No adverse events reported

• Study team eager to achieve success

• Subject died as a result of serious toxicity

Fraud cases in Pharma

z

GCP inspections- Critical finding by MHRA - 2017

1. Computer System Validation(CSV) documentation of eCRF software release- Final version of User and Design specification, Traceability matrix were not available

2. TMF records keeping/ Essential documents – Documetns were named incorrectly, misfiling, duplication ,etc

3. Subjects Enrollment by Principal investigator(PI)- 20% enrolled were ineligible due to previous medical history and medication records

4. ePRO diary data updated based on DCF were not acceptable as it was lacking the audit trail in database.

z

FDA Warning letters– 2019

4

Case Violation/ Non-compliance (post receipt of Form 483s inappropriate responses)

Company 1 • Violations in cGMP in HP plant (under FD&C Act)• Marketed batches exposed to temperatures outside the

labelled storage conditions.

Company 2 • Misbranded and unapproved new drug sale of mifepristone with misoprostol, labelled for the termination of pregnancy.

FDA Warning letter- Official message from US FDA to manufacturer or other organization if form 483s CAPA are inappropriate, and demands prompt voluntary compliance with the Act.

z

HIPAA Violations – Case studies

CompanyName

Reason Penalty Corrective action

Company 1

A laptop bag was stolen from an employee’s car which contained: • employee’s computer • unencrypted backup media, which

contained the names, addresses, dates of birth, SSN, and clinicalinformation of approximately 55,000 individuals

$7,50,000 ▪ Develop an organization-wide risk analysis and risk management plan; and

▪ Train appropriate employees on all policies and procedures newly developed or revised pursuant to its corrective action plan.

Company 2

An unencrypted, password-protected laptop was stolen from a business associate’s workforce member’s locked vehicle, impacting the ePHI of 9,497 individuals

$15,50,000

z

Preparing for how to respond to an incident after it happens can be just as important as how an entity prepares itself to prevent incidents.

- from HIPAA lessons learnt

z

HIPAA Action plan

➢ Protection from Malicious Software- Hackers: Conduct risk analysis to identify such threats and vulnerabilities within environment, and implement appropriate security measures (e.g., patching, firewalls, data encryption methods) through their risk management plans (RMP).

➢ Business Contingency Plan(BCP): Natural disasters as well continuing cyberattacks, to ensure effective recovery in the healthcare sector following disasters.

➢ Access Control: to ensure user access levels are appropriate and support core functions➢ Information System Activity Review: To help identify malicious activity and alert the

organization of an intruder➢ Audit Controls with effective review process (Quality): help identify and mitigate threats

from malicious insiders➢ Security Incident Procedures: Ineffective procedure can prolong a breach and actions

perpetrated by malicious actors. Well-tested security incident procedures can prepare an organization to effectively respond to all manner of security incidents

z

Computerized Systems Used in Clinical Investigations

Internal Safeguards External Safeguards

Individual login Account System

Audit trail Documentation

Application SOPs Training

z

Other Safeguards.. 21 CFR Part 11 (2003)

Electronic signatures should consists of the following aspects:

a) Printed name of the signerb) Date and time when the signature was executedc) Meaning (such as review, approval, or

authorship) associated with the signature or In/out details

d) Each eSign should be unique to one individual

• Establishes the requirement under which the FDA accepts electronic records & electronic signatures as equivalent to paper-based records & handwritten signatures

• Permits verification that electronic information submitted to the Agency accurately represents the original source data

z“Rather fail with honor than succeed by FRAUD.”

-Sophocles

z

Company reputation

Data validity compromisedSubmission jeopardized

Failed to maintain study compliance

Failed to monitor study progress

CROSponsor

Submission of false information

Additional costs Business reputation

FinesLegal expensesDisqualification License revocation

Subject’s safety at risk

5

z

Visit

Originals

AssessmentInformed

Consent Form

Patient ABC

Visits on weekends and holidays; Site location?

Meeting schedules too perfectly

-100 % Dose compliance -Perfect efficacy scores for all

subjects

-No SAEs reported-Less records of MH or conmed

-No variability in findings of lab tests, vitals---Too many PDs

Same date/ time of ICF of many subjects in a site/ country

- Identical DOB-Multiple sites

registration

How to identify Frauds? – Detecting signals Aspects to be focused on Ongoing basis… Data level

z

1. Comparison of data– using VLOOKUP, SORT, IF

condition excel functions

Example:• Central lab load v/s AEs• Eligibility v/s randomization

2. Same Same Different – using SORT, IF ()Used to find duplicate valuesExample: Lab values, ECG values across visits

How to detect these signals?- Mining the data

z

3. 80-20 principle - Can be applied to find out query trends, for recruitment rates

4. Audit trail report analysis -• Entry by any other personnel than investigator/ site staff•Can act as objective evidence when it comes to uncovering fraud

5. Visualizing data trends

0

50

100

150

01 02 03 04 05 06 07 08 09 10

No. of queries

How to detect these signals?- Mining the data

z

Aspects to be focused on Ongoing basis… Data level

•Program edit checks ensuring all scenarios and validate it

•Incorporate prompts, edit checks, derived fields for data repopulation.

•CDASH compliant for standardized analysis Database

• Provide status reports to reduce the TAT like data entry, answered queries, SAEs noted, login frequency

•Metrics to capture missing data, queries, and email notifications that triggered to site staff for inaccurate, missing data should be configured.

Study data

z

Conclusion - Weaving these 3 attributes…Key takeways

CDM should ensure each database, eCOA app, medical device, other applications used, to be compliant with the following:1. Industry guidelines2. Study protocol requirements3. Operationally feasible to use4. End points can be derived from the collected data

❖Be responsible for data, collaborate with all the stakeholders from the

beginning and ensure protection at all levels

z

Thank you